[Asterisk-code-review] res_pjsip_outbound_authenticaor_digest: Be tolerant of RFC8760 UASs (asterisk[16])

George Joseph asteriskteam at digium.com
Thu Apr 15 10:50:13 CDT 2021


George Joseph has uploaded this change for review. ( https://gerrit.asterisk.org/c/asterisk/+/15764 )


Change subject: res_pjsip_outbound_authenticaor_digest: Be tolerant of RFC8760 UASs
......................................................................

res_pjsip_outbound_authenticaor_digest: Be tolerant of RFC8760 UASs

RFC8760 adds support for the following digest algorithms in
addition to MD5:

SHA-256
SHA-256-sess
SHA512-256
SHA512-256-sess

It also allows multiple WWW-Authenticate headers, each with a
different algorithm so a UAS could send the following (parameters
other than algorithm omitted for clarity):

WWW-Authenticate: Digest ... algorithm=sha512-256
WWW-Authenticate: Digest ... algorithm=sha256
WWW-Authenticate: Digest ... algorithm=md5

Currently though, both Asterisk's
res_pjsip_outbound_authenticaor_digest get_auth_header() function
and pjproject's sip_auth_client pjsip_auth_clt_reinit_req()
function return errors if the first WWW-Authenticate header has
a digest algorithm other than MD5.  So, both functions now
search through all WWW-Authenticate headers and only fail if
one that has a header we support (currently only MD5) can't
be found.

Discovered during OpenSIPit 2021.

ASTERISK-29397

Change-Id: I3aef5ce4fe1d27e48d61268520f284d15d650281
---
M res/res_pjsip_outbound_authenticator_digest.c
A third-party/pjproject/patches/0090-sip_auth_client-Be-tolerant-of-unsupported-digest-al.patch
2 files changed, 77 insertions(+), 1 deletion(-)



  git pull ssh://gerrit.asterisk.org:29418/asterisk refs/changes/64/15764/1

diff --git a/res/res_pjsip_outbound_authenticator_digest.c b/res/res_pjsip_outbound_authenticator_digest.c
index 5f6d994..1ea7f5a 100644
--- a/res/res_pjsip_outbound_authenticator_digest.c
+++ b/res/res_pjsip_outbound_authenticator_digest.c
@@ -31,10 +31,15 @@
 #include "asterisk/module.h"
 #include "asterisk/strings.h"
 
+pj_str_t supported_digest_algorithms[] = {
+	{ "MD5", 3}
+};
+
 static pjsip_www_authenticate_hdr *get_auth_header(pjsip_rx_data *challenge,
 	const void *start)
 {
 	pjsip_hdr_e search_type;
+	pjsip_www_authenticate_hdr *auth_header = NULL;
 
 	if (challenge->msg_info.msg->line.status.code == PJSIP_SC_UNAUTHORIZED) {
 		search_type = PJSIP_H_WWW_AUTHENTICATE;
@@ -47,7 +52,27 @@
 		return NULL ;
 	}
 
-	return pjsip_msg_find_hdr(challenge->msg_info.msg, search_type, start);
+	/*
+	 * RFC8760 allows more than one WWW-Authenticate header each with
+	 * different digest algorithms including new ones like SHA-256 and SHA-512-256.
+	 * We need to go through all of the headers and find one that has an
+	 * algorithm we support and only return NULL if we've gone through them all
+	 * and can't find one.
+	 *
+	 * FYI: This has to be paired with a similar change in pjproject's
+	 * pjsip_auth_clt_reinit_req() function for which a patch to Teluu
+	 * has been submitted.
+	 */
+	while ((auth_header = pjsip_msg_find_hdr(challenge->msg_info.msg, search_type, auth_header ? auth_header->next : start))) {
+		int digest = 0;
+		for (digest = 0; digest < ARRAY_LEN(supported_digest_algorithms); digest++) {
+			if (pj_stricmp(&auth_header->challenge.digest.algorithm, &supported_digest_algorithms[digest]) == 0) {
+				return auth_header;
+			}
+		}
+	}
+
+	return NULL;
 
 }
 
diff --git a/third-party/pjproject/patches/0090-sip_auth_client-Be-tolerant-of-unsupported-digest-al.patch b/third-party/pjproject/patches/0090-sip_auth_client-Be-tolerant-of-unsupported-digest-al.patch
new file mode 100644
index 0000000..389c4e8
--- /dev/null
+++ b/third-party/pjproject/patches/0090-sip_auth_client-Be-tolerant-of-unsupported-digest-al.patch
@@ -0,0 +1,51 @@
+From 902b08e983eebf78c8cf7fd9b259ff286e9d2d84 Mon Sep 17 00:00:00 2001
+From: George Joseph <gjoseph at sangoma.com>
+Date: Thu, 15 Apr 2021 08:40:55 -0600
+Subject: [PATCH] sip_auth_client:  Be tolerant of unsupported digest
+ algorithms
+
+RFC8760 adds support for the following digest algorithms in
+addition to MD5:
+
+SHA-256
+SHA-256-sess
+SHA512-256
+SHA512-256-sess
+
+It also allows multiple WWW-Authenticate headers, each with a
+different algorithm so a UAS could send the following (parameters
+other than algorithm omitted for clarity):
+
+WWW-Authenticate: Digest ... algorithm=sha512-256
+WWW-Authenticate: Digest ... algorithm=sha256
+WWW-Authenticate: Digest ... algorithm=md5
+
+Currently though, since pjsip_auth_clt_reinit_req() can only
+handle MD5, it returns an error if the first WWW-Authenticate
+header specifies an algorithm isn't MD5.  So, to account for the
+possibility of receiving more than one header,
+pjsip_auth_clt_reinit_req() has been modified to continue to
+search for a WWW-Authenticate header that it can handle. Only if
+it ultimately can't find one does it return an error.
+---
+ pjsip/src/pjsip/sip_auth_client.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/pjsip/src/pjsip/sip_auth_client.c b/pjsip/src/pjsip/sip_auth_client.c
+index 828b04db9..88518c37c 100644
+--- a/pjsip/src/pjsip/sip_auth_client.c
++++ b/pjsip/src/pjsip/sip_auth_client.c
+@@ -1194,6 +1194,10 @@ PJ_DEF(pj_status_t) pjsip_auth_clt_reinit_req(	pjsip_auth_clt_sess *sess,
+ 	    break;
+ 
+ 	hchal = (const pjsip_www_authenticate_hdr*)hdr;
++	if (pj_stricmp(&hchal->challenge.digest.algorithm, &pjsip_MD5_STR) != 0) {
++		hdr = hdr->next;
++		continue;
++	}
+ 	++chal_cnt;
+ 
+ 	/* Find authentication session for this realm, create a new one
+-- 
+2.31.1
+

-- 
To view, visit https://gerrit.asterisk.org/c/asterisk/+/15764
To unsubscribe, or for help writing mail filters, visit https://gerrit.asterisk.org/settings

Gerrit-Project: asterisk
Gerrit-Branch: 16
Gerrit-Change-Id: I3aef5ce4fe1d27e48d61268520f284d15d650281
Gerrit-Change-Number: 15764
Gerrit-PatchSet: 1
Gerrit-Owner: George Joseph <gjoseph at digium.com>
Gerrit-MessageType: newchange
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.digium.com/pipermail/asterisk-code-review/attachments/20210415/f05dcbdb/attachment-0001.html>


More information about the asterisk-code-review mailing list